Sherman's Security Blog
I am Sherman Hand (also known as Policysup). I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down-to-earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations, reposts, or information that is already in the public domain.

A new study publicized this week claims that almost half of all American adults – about 110 million people – have had their personal data hacked in the past year.

Tallied by the Ponemon Institute and reported by CNN, the study claims that 47% of US adults have been hacked in the past 12 months, with up to 432 million “hacked accounts.”

It’s a frightening statistic, if true. Let’s take a look at the numbers.

Certainly a vast swath of the American population has had its data compromised in the last year, with the biggest culprit being the breach of Target, which leaked 40 million credit and debit card numbers, plus additional records, from a total of 70 million customers.

So with Target’s numbers alone we’re already at 70 million “hacked” individuals, which is a stunning figure in itself.

If you add to that the data breaches at Neiman Marcus, Michaels, and, more recently, eBay, then CNN’s claim of 110 million people hacked – “half of US adults” – starts to look very realistic, and maybe even on the low end.

But there are a few problems here.

An incomplete picture of data loss

CNN’s data comes from the Identity Theft Resource Center (ITRC), which tallies data breaches in the US reported by news media and government sources (CNN says it also got data from its “own review of corporate disclosures”).

The ITRC is very thorough in keeping its statistics, but only includes the numbers that have been disclosed – companies don’t always report the number of records lost due to varying breach notification laws, leaving an incomplete picture.

For example, eBay didn’t report how many of its 138 million accounts were exposed in the recent attack, so we are left to wonder: was it all 138 million accounts? Or (unlikely, but still a possibility) just one person’s account?

By the way, a “record” is a name plus another piece of personally identifying information (PII), such as a driver’s license number, credit card/debit card number, or medical record.

Because email addresses and passwords aren’t considered PII, companies are not required to disclose loss of them as a data breach – even though a hacker could use your email address and password to steal other relevant information about you that is PII.

What’s even more challenging in coming to a reliable tally is that, according to the ITRC, organizations only disclosed the number of records lost in 60% of the data breaches in 2013.

Could that mean even more than 110 million people were hacked? Well, because there’s no data on the other 40% of data breaches, we just don’t know.

All this leads the ITRC to state on its website that:

Any efforts to accurately quantify the actual number of breaches, and resulting number of compromised records, are stymied in the absence of mandatory and uniform reporting requirements on a national level.

Let’s not forget that records from different breaches often belong to the same people, so one person can be counted multiple times – it’s likely that people who shopped at Target and had their credit card numbers stolen also had their email address stolen from AOL, or their account number swiped from eBay.

So how does CNN get its number of 110 million individuals “hacked” in the past year, and up to 432 million accounts breached?

ITRC’s data shows that 91,978,932 records were breached in 2013, and another 8,533,800 have been confirmed lost so far in 2014.

That brings us to about 100 million records confirmed lost for 2013 and 2014 – a far cry from the 432 million accounts claimed by CNN.

“Hacked” is not the same as lost or stolen

Not all of those records were “hacked” by cybercriminals; many were exposed accidentally through employee negligence, or by insider theft.

When you consider that the 24/7 news media needs provocative headlines to drive clicks and to win advertising dollars, CNN’s claim starts to make a little bit more sense.

The headline “Half of American adults hacked in past year” looks great, but it would have been more accurate if they had written “We have no idea how many Americans were hacked last year, but it’s probably a very high number”.

And what of the rest of the world?

Well, according to another headline-grabbing report, more than 820 million records were exposed in data breaches worldwide in 2013.

Whatever the real number of individuals affected by these data disasters is – and we really, truly just don’t know – it’s still way too high.